Social Engineering: "Hacking" that Doesn't Require a Computer
Breaking into a secure system does not always require the use of computers, network protocols, brute force attacks, or viruses and Trojans. Sometimes an attacker or "hacker" can gain unauthorized access to a system without any of these tools, using instead a method of hacking called social engineering.
Wikipedia.org defines Social Engineering as "...the practice of obtaining confidential information by manipulation of legitimate users." These users usually have knowledge of the security measures that guard against attackers, and can be tricked into giving away the information that would enable an attacker to gain access.
Social engineers use a practice called the "con game" to gain the confidence of someone who has authorized access to a network. The attacker uses this confidence to eventually lead the target user to reveal sensitive information. A social engineer usually targets a weakness of the user, which is sometimes their charisma or natural helpfulness. It is the most helpful users who go out of their way to provide the social engineer with information they would not normally be allowed to give out. "Appeal to vanity, appeal to authority, and old-fashioned eavesdropping are typical social engineering techniques" (State of Wisconsin DET). A target may also be unaware of the security implications, or may give the information away out of carelessness about security.
There are several different methods a social engineer could use to gain information from a legitimate user. Social engineering can take place on two levels, one being physical and the other psychological. Examples of physical settings include phones, the workplace, trash, and the internet. A social engineer could simply scout a workplace for documents containing sensitive information or watch a user type in their password. Someone could also dress up as an employee or worker to gain access to areas they would otherwise not have access to.
The most common type of social engineering takes place over the phone. Help desks are usually the most prone to this attack. The social engineer calls the help desk and imitates someone in a position of authority or relevance to pull information. An example of this trick relates to the PBX: "Hackers are able to pretend they are calling from inside the corporation by playing tricks on the PBX or the company operator, so caller-ID is not always the best defense. Here's a classic PBX trick, care of the Computer Security Institute: "'Hi, I'm your AT&T rep, I'm stuck on a pole. I need you to punch a bunch of buttons for me.'"" (SecurityFocus). Since it's the job of the help desk to be "helpful" and cater to the public as much as possible, it's very easy for them to give up sensitive information that would otherwise seem harmless to give out. The main lesson here is that even the smallest bits of information can be used together to create all the information an attacker needs to gain access to their target.
Other forms of hacking sometimes use the practice of social engineering. One example is phishing attacks. Phishing attacks involve e-mails or websites that trick a user into giving up personal information. Companies often protect against this by reminding their users to check the headers of an e-mail, or the web address toolbar, to make sure the message or site is legitimate and not from some unknown source. E-mail phishing attacks involve someone pretending to be part of an official enterprise who asks a user to send their private information or visit a fake website. The fake website sometimes looks exactly like an official business or website the user has visited before, so the user is more trusting about giving up their details. An example would be a fake e-mail that appears to be sent by eBay. Since many people use eBay, they are used to clicking on links in e-mails that lead them to a login page. Without thinking, they would enter their details in a fake login page, which e-mails their credentials to the unauthorized source without the user realizing it. This would have been avoided if the user had simply checked the address toolbar to make sure it was the correct address.
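The address check described above can be made precise. The following is an added example, not part of the original article: it works out which host a link really points to and compares it with the sites the user means to visit. The `TRUSTED_DOMAINS` set, the `check_link` function and all sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: the sites the user actually means to visit.
TRUSTED_DOMAINS = {"ebay.com"}

def check_link(url, trusted=TRUSTED_DOMAINS):
    """Return (verdict, reason) for the host a browser would connect to."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return ("suspicious", "malformed address")
    if not host:
        return ("suspicious", "no host found in address")
    # Text before '@' is a user name, not the site; it is often a decoy.
    if parts.username is not None:
        return ("suspicious", f"real host is {host}; text before '@' is ignored")
    # Look-alike letters (non-ASCII or punycode labels) imitate a known name.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return ("suspicious", "host uses non-ASCII look-alike characters")
    # Trusted only if the host IS the domain or a true subdomain of it.
    for domain in trusted:
        if host == domain or host.endswith("." + domain):
            return ("trusted", host)
    # A familiar name inside some other domain is a common lure.
    for domain in trusted:
        if domain.split(".")[0] in host:
            return ("suspicious", f"'{domain}' name used inside {host}")
    return ("unknown", host)

# Constructed sample links, not taken from real mail.
SAMPLES = [
    "https://signin.ebay.com/ws/login",
    "https://signin.ebay.com.account-check.example/login",
    "https://signin.ebay.com@login.example.net/ws",
    "https://www.\u0435bay.com/signin",   # first letter is Cyrillic
    "https://www.example.org/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(check_link(link), link)
```

Only the first sample is reported as trusted; the next three all contain the familiar name but resolve to a different host.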
A user could also be tricked into giving up their details by an e-mail whose sender claims to be doing security maintenance for the company. Although this seems ridiculous to even amateur security experts, there are still users out there who do not think twice before giving up their credentials to those who claim to be employees. Companies protect against this by repeatedly telling their customers something along the lines of "An employee of [X] company will never ask you to send them your password." Some social engineers are very convincing, though, and can use scare tactics to lead the user into thinking their account has been compromised by a hacker and that they immediately need their login details to correct the situation. The target user is much more willing to give up their information because they are scared they have become the victim of an attack and want to do anything they can to protect against it. It's very ironic, but it happens all the time.
The best way to protect against social engineering is to provide more training to employees. Educating them about the existence of social engineering, and what it can do to compromise company security, could greatly decrease the chance of a social engineer or any other unauthorized person gaining access to a network or computer system. There are also laws in place that protect sensitive information from being given out to just anyone. Usually many forms of identification or various other security procedures are required before an individual or group can access certain types of data. Even information that would seem redundant, like addresses, phone numbers, or model numbers, could be used as a small part of a much larger scheme.
Individual users are also victims of social engineering scams, and need to be educated about its existence. Public ignorance can be a weakness exploited by social engineers who want information. Social engineers know this, and that is why they thrive on it. It is a form of "hacking" that is hard to detect because it can take on so many different forms. Since victims of these attacks usually do not want to admit it, the attacks often go undocumented, and as a result less work is done to investigate them and prevent them from happening in the future.

nice i like it helps…